This invention relates generally to communications networks and more particularly to a virtual private network (VPN).
Computer security is fast becoming an important issue. With the proliferation of computers and computer networks into all aspects of business and daily life (financial, medical, educational, governmental and communications), the concern over secure file access is growing. One method of providing security against unauthorized access to files is to implement encryption and cipher techniques. These techniques convert data into other corresponding data forms in a reversible fashion. Once encrypted, the data is unintelligible unless first decrypted. DES, triple-DES and CAST are known encryption techniques that were, at the time of writing, believed to provide sufficient security for computer communications and files; DES in particular has since been withdrawn from use because its 56-bit key is within reach of exhaustive search.
Historically, secure networks were achieved by preventing those outside the network from accessing data within it. Networks were formed of a number of computers interconnected by cables. No access to the network was permitted save through one of the interconnected computers, and in order to use those computers it was necessary to be physically located within the building housing the network.
With the proliferation of modems, it became clear that remote access is a powerful tool. In order to provide remote access to network data, dial-up servers were maintained in communication with a public communication network such as a telephone network. An individual wishing to access the network connects to the dial-up server with a computer equipped with a modem or another appropriate communication device, logs into the network, and is then provided access to the network. In this fashion, network data is communicated only over channels within the physical network and over dedicated dial-up connections. This was commonly viewed as less secure than the physically isolated computer network but, because of its advantages, became commonplace.
With the proliferation of the Internet and Internet-based communications, a need has arisen to provide secure communications via an unsecured public network. Encryption is commonly used to provide this security. For example, PGP (Pretty Good Privacy) is an available encryption software product that implements a public-key encryption system. Files are encrypted prior to transmission and then decrypted upon reception. The communicated file is secured by the encryption and is as secure as the encryption process used. For occasional file transfers, PGP and similar software products are excellent. Unfortunately, because they operate on individual files at the application layer rather than transparently on network traffic, they are not well suited to network access via the public network.
In order to provide secure virtual private networks (SVPNs), the IPSEC (Internet Protocol Security) protocol suite was developed. IPSEC is a set of industry-standard extensions to the Internet Protocol (IP) that add security services. The suite contains a protocol for an authentication header (AH) assuring data integrity and origin authentication, an encapsulating security payload (ESP) format ensuring data privacy (and, optionally, integrity), and a key management and exchange protocol, the Internet Key Exchange (IKE). These industry-standard protocols allow for the development and implementation of SVPNs.
Unfortunately, many commonly available network features are not available using these protocols alone. Also, flexibility is often compromised to ensure security. It would be advantageous to provide a high degree of flexibility, a broad range of network features, and a high level of security.
It is an object of this invention to provide an SVPN having increased flexibility and increased features over those currently available using the IPSEC protocol suite. In particular it is an object of the invention to provide a method of managing routing and resource availability using pseudo-static information.
In a first aspect, a method of transmitting first data within a secure virtual private network is provided. The method includes the step of storing static map data, the static map data being indicative of static gateways and of resources accessible therethrough, the static map data also including security information for use in authenticating each of the static gateways. The method also includes the steps of selecting a resource to which to direct the first data and determining from the static map data a gateway for accessing the selected resource. The method further includes the step of establishing a communication with the determined gateway, where certification data is obtained from the determined gateway for use in authenticating the determined gateway. The method further includes the step of authenticating the determined gateway based on the certification data and the security information from the static map data for the determined gateway. The method further includes the step of transmitting the first data to the determined gateway for provision to the selected resource.
The step of storing the static map data may be performed automatically.
The method may further include the step of updating the stored static map data.
The security information of the static map data may further include gateway authentication data.
The static map data may further include gateway forwarding data for accessing the plurality of static gateways.
The static map data may further include resource forwarding data for accessing the resources accessible through the plurality of static gateways.
The step of storing the static map data may further include storing the static map data on a workstation remote from the static gateways for which gateway authentication data and gateway forwarding data are stored within the static map data.
The static map data may further include gateway communication data indicative of a manner of communicating securely with each of the static gateways.
The gateway communication data for the static gateways may include data indicative of whether each of the plurality of static gateways supports tunneling.
The static map data may further include gateway security and communication data for the plurality of static gateways. The gateway security and communication data may be indicative of a security access procedure for accessing the plurality of static gateways securely and a manner of communicating securely with each of the plurality of static gateways. The communication established in the step of establishing the communication with the determined gateway and authenticating the determined gateway may be a secure communication and of a type indicated by the gateway security data and gateway communication data and secured in accordance therewith.
In a second aspect, a method of transmitting first data within a secure virtual private network is provided. The method includes the step of storing static map data, the static map data indicative of at least one static gateway, each static gateway having at least one resource accessible therethrough, the static map data being indicative of every resource accessible through each static gateway and comprising security information for use in authenticating each static gateway, the static map data being stored on a workstation remote from each static gateway. The method also includes the step of selecting a destination resource from a set consisting of every resource accessible through each static gateway, the first data for provisioning to the selected destination resource from the workstation. The method further includes the step of selecting from the stored static map data one static gateway through which to access the selected destination resource. The method further includes the step of establishing a communication between the workstation and the selected static gateway and authenticating the selected static gateway. The method further includes the step of transmitting the first data to the selected static gateway for provisioning to the selected destination resource.
In a third aspect, a method of routing first data within a secure virtual private network is provided. The method includes the step of storing a static map, the static map comprising gateway data related to at least one gateway and resource data related to at least one resource, the gateway data including gateway routing data, gateway connection data, gateway security data, and gateway authentication data, the resource data including resource routing data, each resource having a related gateway through which the resource is accessible. The method also includes the step of storing the static map on a workstation remote from each gateway for which gateway data is stored in the static map. The method further includes the step of selecting a destination gateway or destination resource to which to direct the first data. The method further includes the step of, if the destination resource is selected, determining from the static map the gateway data for the gateway related to the destination resource, the related gateway constituting a routing gateway. The method further includes the step of, if the destination gateway is selected, determining from the static map the gateway data for said destination gateway, the destination gateway constituting a routing gateway. The method further includes the step of establishing a secure communication with the routing gateway using the gateway routing data and the gateway connection data for the routing gateway, receiving certification data from the routing gateway and authenticating the routing gateway with which the communication is established using the gateway authentication data for the routing gateway. The method further includes the step of transmitting the first data to the routing gateway and, if the destination resource is selected, routing the first data to the destination resource using the resource routing data.
In a fourth aspect, a method of transmitting message data within a network architecture that comprises an originating terminal from which to transmit said message data, a destination network and an intermediate network operatively connected therebetween is provided. The destination network includes at least one gateway for interfacing with the intermediate network, each gateway of the destination network corresponding to at least one resource of the destination network accessible therethrough. The method includes the step of storing static map data, the static map data being indicative of each gateway of the destination network and of each resource of the destination network accessible therethrough, the static map data further including security information for authenticating each gateway of the destination network. The method also includes the step of selecting a resource of the destination network to which to transmit the message data from the originating terminal. The method further includes the step of selecting from the static map data a gateway of the destination network, the selected resource being accessible from the selected gateway. The method further includes the step of establishing a communication with the selected gateway, where certification data is obtained from the selected gateway for use in authenticating the selected gateway. The method further includes the step of authenticating the selected gateway based on the certification data so obtained and on the security information stored in the static map. The method further includes the step of transmitting the message data from the originating terminal to the selected gateway for provision to the selected resource.
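The four aspects above describe one procedure: resolve a destination (gateway or resource) against a locally stored static map, reach the gateway using its forwarding data, obtain certification data from it, authenticate it against the security information held in the map, and only then hand over the data, in the mode (tunnelling or not) the map records for that gateway. The following is an added illustration of that procedure and is not code from the patent or from any product implementing it. It assumes that the map's "security information" is a pinned SHA-256 fingerprint of the gateway's certificate (the disclosure does not fix the form of the certification data), that the network is an in-memory dictionary keyed by forwarding address, and that the gateway certificates, addresses and resource names are constructed sample values.

```python
"""Static-map routing and gateway authentication for an SVPN client (illustrative model)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class GatewayEntry:
    """One static gateway as recorded in the static map."""
    name: str
    forwarding: str            # gateway forwarding data: how the workstation reaches it
    cert_fingerprint: str      # security information: pinned SHA-256 of the gateway certificate
    supports_tunneling: bool   # gateway communication data


@dataclass
class StaticMap:
    gateways: dict             # gateway name -> GatewayEntry
    resources: dict            # resource name -> (gateway name, resource forwarding data)

    def routing_gateway(self, destination):
        """Resolve a destination gateway or resource to (GatewayEntry, resource address)."""
        if destination in self.gateways:
            return self.gateways[destination], None
        if destination in self.resources:
            gw_name, resource_addr = self.resources[destination]
            return self.gateways[gw_name], resource_addr
        raise KeyError(f"{destination!r} is neither a gateway nor a resource in the static map")


def cert_fingerprint(cert_bytes: bytes) -> str:
    return hashlib.sha256(cert_bytes).hexdigest()


def authenticate_gateway(entry: GatewayEntry, certification_data: bytes) -> bool:
    """Check the certificate the gateway presented against the fingerprint pinned in the map."""
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(cert_fingerprint(certification_data), entry.cert_fingerprint)


class Gateway:
    """Stand-in for a reachable gateway: presents its certificate and forwards data."""
    def __init__(self, cert_bytes: bytes):
        self.cert_bytes = cert_bytes
        self.delivered = []

    def certification_data(self) -> bytes:
        return self.cert_bytes

    def forward(self, resource_addr, data, mode):
        record = (resource_addr, data, mode)
        self.delivered.append(record)
        return record


def transmit(static_map, network, destination, data):
    """Route data to a destination gateway or resource; refuse if the gateway fails authentication."""
    entry, resource_addr = static_map.routing_gateway(destination)
    gateway = network[entry.forwarding]                 # establish communication via forwarding data
    if not authenticate_gateway(entry, gateway.certification_data()):
        raise PermissionError(f"gateway at {entry.forwarding} failed authentication; data withheld")
    mode = "tunnel" if entry.supports_tunneling else "transport"
    return gateway.forward(resource_addr, data, mode)


# Constructed sample data. Certificates are opaque byte strings here; a real map would pin
# the fingerprint of an X.509 certificate (or the CA that issues the gateway certificates).
HONEST_CERT = b"CONSTRUCTED CERT: gw-a, CN=gw-a.example.test"
GW_B_CERT = b"CONSTRUCTED CERT: gw-b, CN=gw-b.example.test"
IMPOSTOR_CERT = b"CONSTRUCTED CERT: attacker, CN=gw-a.example.test"

STATIC_MAP = StaticMap(
    gateways={
        "gw-a": GatewayEntry("gw-a", "192.0.2.10", cert_fingerprint(HONEST_CERT), True),
        "gw-b": GatewayEntry("gw-b", "192.0.2.20", cert_fingerprint(GW_B_CERT), False),
    },
    resources={
        "payroll-db": ("gw-a", "10.1.0.5:5432"),
        "file-share": ("gw-b", "10.2.0.9:445"),
    },
)


def run_scenarios():
    """Honest network, hijacked forwarding address, and unknown destination."""
    results = {}
    honest = {"192.0.2.10": Gateway(HONEST_CERT), "192.0.2.20": Gateway(GW_B_CERT)}
    results["resource"] = transmit(STATIC_MAP, honest, "payroll-db", b"SELECT 1")
    results["transport"] = transmit(STATIC_MAP, honest, "file-share", b"READ doc.txt")
    results["gateway"] = transmit(STATIC_MAP, honest, "gw-a", b"ping")
    # An attacker answering at gw-a's address presents a certificate whose fingerprint is not pinned.
    hijacked = {"192.0.2.10": Gateway(IMPOSTOR_CERT), "192.0.2.20": Gateway(GW_B_CERT)}
    try:
        transmit(STATIC_MAP, hijacked, "payroll-db", b"SELECT 1")
        results["hijacked"] = "delivered"
    except PermissionError:
        results["hijacked"] = "refused"
    try:
        transmit(STATIC_MAP, honest, "unknown-host", b"x")
        results["unknown"] = "delivered"
    except KeyError:
        results["unknown"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point the model makes concrete is that the workstation's trust is rooted in the static map, not in whatever answers at the forwarding address: a gateway reached at the right address but presenting the wrong certificate gets nothing. That in turn means the map itself must be distributed and updated over an authenticated channel, since an attacker who can alter the pinned fingerprints can substitute a gateway of their own.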